[Dnsmasq-discuss] Automatic DNSSEC-signing of resource records
Rene Bartsch
ml at bartschnet.de
Thu Sep 11 19:54:56 BST 2014
On 2014-09-11 15:50, Jeroen van der Ham wrote:
> Hi,
>
> On 22 Aug 2014, at 16:57, Rene Bartsch <ml at bartschnet.de> wrote:
>> BIND and PowerDNS can sign resource records automatically when run as
>> primary DNS with DNSSEC. Does Dnsmasq support signing resource records
>> automatically in authoritative mode or are there any plans to support
>> automatic zone signing in authoritative mode?
>
> When exactly would you want dnsmasq to run as an authoritative name
> server?
>
> Note that signing records is not as simple as just flipping a switch,
> the key has to be trusted as well. Which means that you have to
> register a key at your registrar.
>
> If it is for private use, there is no reason to use DNSSEC anyway.
>
Yes, there is. ;-)
If you want to use your public domain in the local network (e.g. to
resolve hostnames at multiple locations/local networks) and verify host
certificates with DANE, you usually have to run Dnsmasq as a caching
resolver and DHCP server on the router and an additional primary
nameserver hosted in a data center. You also have to synchronize a lot
of resource records between Dnsmasq DHCP and the primary nameserver. If
Dnsmasq supports automatic signing of resource records and your internet
socket has a public static IP, you save the additional primary nameserver
as Dnsmasq can handle this. And you do not need proprietary
synchronization mechanisms between Dnsmasq DHCP and the primary nameserver.
You may also want to use Dnsmasq as a much simpler alternative to
BIND/PowerDNS.
Last but not least, consumer routers can act as primary nameservers for
consumer domains with an easy-to-administer web interface.
--
Best regards,
Renne